FDA: Medical device cybersecurity necessary, but optional
The US Food and Drug Administration released guidance last week in which it suggested that medical-device manufacturers consider the dangers of hacking in the design of their products, while not requiring countermeasures.
The nine-page document informs companies of the agency’s “current thinking” on the topic of cybersecurity. In it, the FDA recommended that companies assess any dangers on the intentional or unintentional misuse of a device in their design stage. In addition, medical devices and systems should detect and log attacks and allow technicians to react to such attacks, whether through patching a vulnerability or other action.
“The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information,” the agency stated, adding that “manufacturers should address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks.”
Security researchers have shown that a variety of medical devices can be hacked, putting their users in danger. In 2013, for example, a number of larger systems–such as ventilators, patient monitors, and surgical and anesthesia devices–were found to have hardcoded passwords, letting unauthorized users access the systems. In 2011, a hacker showed that many wireless insulin pump models are vulnerable to attacks, raising the specter that a fatal dosage could be triggered by an over-the-air attack.
Because lives can depend on medical personnel having access to critical devices and information, cybersecurity is more challenging in a healthcare environment. While medical records need to be safeguarded from improper access, a doctor—who may not have been previously authorized—may need immediate access to a patient’s medical file. For medical devices, the situation is simpler, but a variety of personnel may need access to the device, making traditional access control a difficult prospect.
The FDA recognized the challenges.
“Security controls should not unreasonably hinder access to a device intended to be used during an emergency situation,” the agency stated in its guidance, adding a recommendation “that medical device manufacturers provide justification in the premarket submission for the security functions chosen for their medical devices.”
While the guidelines show that the medical device industry is cognizant of the problems that cybersecurity poses to medical devices, they need to do more, Paul Paget, CEO of offensive-hacking firm Pwnie Express, said in a statement to Ars.
“The nine-page document will not stem the tide of insecure medical devices and networks, many of which are vulnerable to cyber attack,” he said. “Organizations consistently need to check to ensure that their medical devices and networks are secure.”